Microsoft is replacing classic Windows Autopilot with the new Autopilot Device Preparation — faster, cloud-native and now available for Windows 365 Cloud PCs. Windows also now installs security updates automatically during the initial device setup.
If you manage devices, you know the scenario: a new laptop arrives but immediately requires manual steps because its Windows installation is weeks old and missing recent security patches. That changes from 13 January 2026. Windows now automatically installs the latest quality updates during the Out-of-Box Experience (OOBE) before the device is handed to the end user.
Until now, devices were delivered with the factory Windows version — often weeks old and missing the most recent security patches. Every new device started its life already behind. The new automatic OOBE quality update resolves this permanently: every device begins up to date.
Administrators can control this behaviour through a new setting in the Intune Enrollment Status Page (ESP): Install Windows quality updates. If you need to block the update for specific deployment scenarios where speed outweighs completeness, that remains possible.
Beyond the OOBE update, Windows Autopilot Device Preparation is the most significant change in device management. This next-generation Autopilot is fully Intune-native and has no dependency on legacy Autopilot infrastructure. The provisioning process is faster, troubleshooting is simpler and the integration with Intune is deeper.
What has specifically improved? The maximum number of apps configurable in a Device Preparation policy has been raised to 25. Enterprise App Catalog apps can now be used as blocking apps in the ESP profile. And for failed deployments, diagnostic logs can be downloaded directly from the deployment status report in Intune — no manual log collection required.
A notable expansion is support for Autopilot Device Preparation for Windows 365 Enterprise, Frontline dedicated mode and Cloud Apps. IT teams can now provision virtual Cloud PCs using exactly the same Intune workflow as physical devices. This is valuable for organisations running a mixed fleet of physical and virtual workspaces.
For Windows 365 Frontline shared mode, a new automatic provisioning mode significantly simplifies the setup of shared Cloud PCs.
Review your current ESP profile settings and make a deliberate decision about whether to allow or block automatic OOBE quality updates. Test your Device Preparation policy with the new 25-app limit and verify which apps are configured as blocking apps. Enable diagnostic logging so that failed deployments can be investigated immediately without manual log retrieval.
Need help optimising your Intune deployment workflow or migrating to Autopilot Device Preparation? Contact Zarioh Digital Solutions.
